GDPR – A plain English guide to complying
Organisations should be realistic about their data protection compliance targets ahead of the General Data Protection Regulation (GDPR), says Stone King’s Brian Miller. This guide will help you spot the pitfalls.
Few organisations are likely to be fully compliant by 25 May 2018 (especially as some key guidance is yet to be published and the Data Protection Bill is yet to pass through parliament). However, the ICO (Information Commissioner’s Office) has indicated that those who fail to engage with the GDPR by the implementation date will be penalised. It may seem obvious, but the key areas to be focusing on immediately are those which are most important to your business.
This article will give you a quick step-by-step guide on how to prepare for the GDPR and help you to identify those important areas ahead of the rapidly approaching deadline.
The Do’s
- Undertake a data audit so that you are able to identify what personal data you hold and process. Identify and note any areas of risk. Identify information such as:
  - What personal data you hold about employees, job applicants and customers;
  - Where you get this personal data from;
  - How you use this personal data, store it and erase it (review and document the entire data lifecycle from collection to deletion);
  - How long you keep personal data for; and
  - Any parties to whom you transfer personal data.
As this could be a large undertaking for some organisations, it is important to prioritise based on risk – look at your higher risk activities first (i.e. where you deal with sensitive information or high volumes of personal data).
- Ensure your paper shield is complete
  - It is unlikely that your existing data protection policies and privacy notices will be compliant without significant amendment, so these need to be reviewed to ensure that they give accurate detail of the lawful basis for your processing of personal data.
  - Make sure that these policies evidence your decision-making processes, and that you keep a copy of any decision-making that falls outside these external-facing documents.
  - Compile your record of internal processing activities – see:
- Educate internally – provide training to staff so that they are aware of and understand the new data protection requirements. Training should focus in particular on:
  - Key personnel – make sure that key personnel (the board and managers) are in the know. Define roles and responsibilities for data protection compliance within your organisation. Once these key stakeholders have been engaged, it is easier to ensure that appropriate resources and budget can be allocated to your data protection compliance programme.
  - Basic points – ensuring that all staff lock their computers whilst they are away from their desk, advising that personal records should not be printed unless absolutely necessary, etc. Where possible, look to ensure that data security is designed into all of your processes. Changing the mind-set of employees is likely to be your biggest (and most important) battle.
  - Data breaches – organisations must notify the regulator without delay of all personal data breaches where the breach results in a risk to data subjects. If the breach poses a high risk to the data subjects’ rights, then the data subjects must also be notified.
  - Subject Access Requests – these will be dealt with differently under the GDPR. The time frame for employers to comply is now one month, rather than the previous 40 calendar days. The precise meaning of one month is not yet clear, but it is likely to be clarified by the ICO, which will inevitably need to revise its Subject Access Code of Practice.
  - Right to be forgotten – employees and customers can require the organisation to delete their personal data if it is no longer necessary for the purposes for which it was collected, or if they withdraw their consent.
- Start to review all contracts
  - Data processing agreements – in particular, you will need to review any contracts by which you engage a third party to deal with personal data on your behalf. The most common examples of data processors are outsourced service providers (accounting, payroll, marketing, cloud servers, etc.).
  - The agreements need to have specific clauses to ensure that:
    - Personal data is only processed on your documented instructions;
    - Personal data is secure; and
    - Measures are implemented to assist you in complying with employees’ rights.
  - Renegotiating these agreements may take time, so it is important to start assessing their suitability as early as possible.
- Give notice of data processing to each individual
  - You must give notice of data processing at the earliest possible stage: at the start of any recruitment process for job applicants, on hiring new staff, and before your customers give any personal data to you.
  - All information provided to these individuals must be concise, transparent, easily accessible and given in plain language.
  - You will also need to explain why you are processing the data. You will do this through privacy notices or a privacy policy (if via a public-facing website) and must give the legal basis for the processing: the processing must be in your or a third party’s ‘legitimate interest’, or necessary for the performance of a contract to which the data subject is a party. If you are instead relying on consent, you must also include information on how the individual can withdraw that consent.
The Don’ts (for the organisation and all staff)
- Open email attachments from an unknown source (the majority of data breaches do not stem directly from malicious external attackers; they usually originate from an accidental insider);
- Give your username or password to anyone;
- Download business data onto personal devices unless first authorised by your employer;
- Work in public spaces where other people could view or overhear personal data;
- Log on to public wifi whilst working with personal data.
And the most important don’t…
- Fail to prepare! Take action now to ensure that your data processing will be compliant with the GDPR.
If you are yet to start your GDPR compliance programme, or want some help getting up to speed, Stone King can provide its ‘GDPR Pack’ of seven standard template documents (with internal and explanatory notes on the more complex documents) to assist in achieving GDPR compliance.
By going through these templates and completing them as fits your data use, you should go a very long way towards ensuring compliance.
The editable templates are available for a fixed cost of £995 (plus VAT); any fine-tuning to your circumstances is not included in this cost, but we will alert you if there are any significant changes that need to be made as further guidance is issued or matters develop up to 25 May 2018.
If you require any further advice or information on updating your practices in line with the GDPR, please contact Brian Miller at [email protected] or call +44 (0)20 7324 1523.